
How to shift from MSP to MSSP, with N-able’s Lewis Pope



Cybersecurity isn’t just a technical challenge—it’s a business imperative. By now, MSPs all know that offering security-first services is no longer optional—but knowing where to start, how to scale, and what to prioritize can be overwhelming.

So, because we love you, we sat down with Lewis Pope, Head Security Nerd at N-able, to unpack the real-world steps MSPs can take to evolve into MSSP-style providers. From building internal expertise and aligning with compliance frameworks to packaging services that resonate with clients, Lewis offers a candid, practical roadmap for MSPs who are ready to level up. Because in today’s threat landscape, readiness isn’t a luxury—it’s the foundation of trust.

What is the first step that an MSP should take to assess its current security maturity, and how do they map out offering a full MSSP-style service?

You need to understand why you are doing this. I break it down into two categories: “I’m doing this because I need to improve and want to make more money,” or “I’m doing this because it is explicitly demanded by my current clients or aligns with my ideal client profile”—which is more compliance-driven.

If you decide your motivator is that you’re just looking at this as an opportunity, you’ve probably been doing a lot of these things—you just haven’t been telling the right story. So it’s about reassessing what it is you’re currently doing and aligning it to security.

Making that change to focus on security means you now offer vulnerability remediation and mitigation services of which patch management is an important component. You’ll be repositioning what you’re doing and telling a better story. If it is for compliance purposes, it’s choosing what compliance it is.

When it comes to practical security controls, what are the must-have controls? Which ones deliver the biggest risk reduction for the smallest overheads?

When you move into more MSSP-type services, one of the things you become more involved with is prevention of cybercrime. There are expectations around how you gather evidence. A SIEM [Security Information and Event Management] can handle so much of the heavy lifting of recording the telemetry and evidence of what happens during an incident that will be vital for understanding what happened, and more importantly what is currently happening. I think you must have one in the next year or so. If you don’t have something like that in place, you’re seriously behind. At N-able, we have SIEM functionality as a core component of our Adlumin MDR offering. A SIEM can power that evidence collection and allow you to apply your XDR and MDR capabilities against that entire data set because threats don’t just operate on the endpoint anymore. A threat can start out in the cloud and then become an internal threat.

How can MSPs build and sustain the internal expertise that’s required to run that 24/7 detection response and threat scanning service?

Today, you need true 24/7, 365 humans on keyboards in front of screens who can respond to an event in minutes, not hours. 

It is not a tool that you go and purchase. If you are going 24/7, it takes talented individuals: finding those talented individuals, and certifying them. Look towards the major certificate vendors. All of them have their version of a SOC analyst or Security Plus or Cloud Security. You want a security analyst, which is a different set of skills. They come at a premium.

Ask yourself the honest question of, “Can I find just over 8,700 hours of payroll to pay just to have one person on shift 24/7 throughout the year?”

That’s where maybe instead of moving into the MSSP sphere, you partner with an MSSP and split the workload. Your path to profitability should be much faster and smoother.

How can MSPs on the road to an MSSP offering weave in industry frameworks into their service delivery?

Again, it’s the “Who are your clients?” question. The easiest way is to sit down and read the frameworks and standards, which are freely available, like the NIST cybersecurity framework or the CIS version. Don’t go and pay for training courses as your first step.

Use it as a gap analysis. You’ll come out of it with things you can’t do and figure out how you can do them. The NIST Cybersecurity Framework and ISO 27002 are a lot longer. Ask yourself, “Are we doing this just to be better or is it for compliance purposes?” And if it is for compliance purposes, are you doing this as part of the CSO work or compliance-as-a-service work? That’s your driving force.

If you can build that underneath a vCISO [Virtual Chief Information Security Officer] offering or compliance-as-a-service offering, it’s one additional revenue opportunity. A vCISO service enables you to support larger clients whose security needs exceed what you can manage alone. It’s a revenue opportunity you might be able to build over time.

Incident response is often make or break in the service line in a contract. What would be your advice on creating clear service level agreements that both MSPs and their clients can trust?

One of the first things I ask is, “Do you have a shared responsibility matrix with every one of your clients?” and, “Are you managing and maintaining a risk register for every one of your clients?” If you ask these questions, you can set proper expectations with your clients about what incident responses, SLAs, and SLOs are going to look like.

And before you go talk to your clients about it, do it for yourself. You will figure out all these extra considerations you need to be making around incident response.

You need to have a conversation with your clients about the expectations of their insurance coverage. You should be getting the information of your client’s cyber insurance providers today so you can reach out to them and ask, “What is the SOP? What are the expectations? Can you provide me with a list of the DFIR [digital forensics and incident response] firms that you’re going to engage with?”

What operational pitfalls do MSPs commonly encounter when they start to build out and scale cybersecurity offerings, and how can they streamline those processes to avoid burnout?

Know that none of this is going to be solved by a new tool. The majority is going to be process and procedures, documentation, workflows, doing the “boring” work of risk registers and reviewing it with your clients, because they are the ones in the end that are accountable.

As an MSP, you’ll start understanding your client’s business better than they do. And you’ll see the landmines. Even if they’re not going to pay you for it, your findings will still need to go in the risk register; because if you don’t bring it up and that’s what burns them, then you’re going to have to explain why you never brought it up.

Cybersecurity can be a tough sell to clients. How should they package, price and position new security or service offerings that resonate with the existing clients, but also keep the door open to new clients?

There are tons of ways to approach this based on who you are as an MSP, your internal culture, what your plans for your MSP going forward are.

Line iteming your services really hurts you because it gives clients an opportunity to have an argument with you about why they do or do not need this particular thing. It should be a consolidated package where you’re not exposing the cost of each individual component.

Instead of describing the tool you’re using, describe the outcomes you’re delivering. Clients are not going to care about which tool you use to handle patching or to remote access their systems. They’re going to care if it’s safe and secure.

It also makes it a lot easier on your sales team. They’re able to sell them the outcomes.

That’s when they can say that you’re including patching, endpoint management, data recovery, business continuity, disaster recovery planning, vulnerability management, XDR, SIEM, end user cybersecurity awareness training, email security, your Microsoft licensing, or your Google workspace. You bring all of those together and that’s how you get to an amount per seat.

Looking at the threat landscape today, where do you see the greatest growth opportunities for MSPs? Can the MSP and MSSP or MSSP-style model live side by side in harmony?

I believe they can live side by side. They reinforce each other. They can cover each other’s gaps.

I think the bigger thing is being ready. More business conversations need to be had. Risk management needs to be a part of what you’re doing—being able to sit down with a client and help them calculate their annualized loss expectancy from events. Do they understand what it’s going to look like if you have to restore their entire environment?

Honest conversations are how you get clients to say, “No, that’s not acceptable”. Then you can say “No, it’s not, we’re going to have to spend a lot more money to get you to something that is acceptable for you”. Make no assumptions on what your clients are willing to pay. And if brutal honesty gets you into a position with a client or a prospect where they turn their nose up at you, take that as an indicator that the risk they represent may not be worth it.
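The annualized loss expectancy (ALE) calculation Lewis mentions is the standard quantitative risk formula: single loss expectancy (SLE) is asset value times exposure factor, and ALE is SLE times the annual rate of occurrence (ARO). The script below is an added worked example, not N-able's tooling or anything from the interview; every asset value, exposure factor, occurrence rate and control cost in it is a constructed sample figure, and the `Scenario`, `Control` and `rosi` names are this example's own. It goes one step past the text by comparing the ALE before and after a proposed control to get a return on security investment (ROSI), which is the number that turns the risk conversation into a spending conversation.

```python
"""Annualized loss expectancy (ALE) and return on security investment (ROSI).

Added illustration for the interview above, not N-able code. All figures
below are constructed sample values chosen to make the arithmetic readable.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Scenario:
    """One loss event a client could suffer, expressed in the ALE model."""
    name: str
    asset_value: float      # AV: value of the asset or process at risk
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: the cost of one occurrence (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by yearly frequency (SLE * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed mitigation with its yearly cost and modelled effect."""
    name: str
    annual_cost: float
    aro_reduction: float  # fraction by which the control lowers ARO (0..1)
    ef_reduction: float   # fraction by which the control lowers EF (0..1)

    def apply(self, s: Scenario) -> Scenario:
        """Return the same scenario with the control's reductions applied."""
        return Scenario(
            s.name,
            s.asset_value,
            s.exposure_factor * (1.0 - self.ef_reduction),
            s.aro * (1.0 - self.aro_reduction),
        )


def rosi(scenarios: Iterable[Scenario], control: Control) -> Tuple[float, float, float]:
    """Return (total ALE before, total ALE after, ROSI) for one control.

    ROSI = (ALE reduction - control cost) / control cost. A negative value
    means the control costs more per year than the risk it removes.
    """
    scenarios = list(scenarios)
    before = sum(s.ale() for s in scenarios)
    after = sum(control.apply(s).ale() for s in scenarios)
    net_benefit = before - after - control.annual_cost
    return before, after, net_benefit / control.annual_cost


# Constructed sample register for a fictional client (not real figures).
SAMPLE_SCENARIOS = [
    # Full-environment restore after ransomware: 60% of a 500k process lost,
    # expected once every five years.
    Scenario("ransomware, full restore", asset_value=500_000.0,
             exposure_factor=0.6, aro=0.2),
    # Business email compromise: one 80k fraudulent payment, every other year.
    Scenario("business email compromise", asset_value=80_000.0,
             exposure_factor=1.0, aro=0.5),
]

# Constructed control: modelled to halve occurrence and trim impact by a quarter.
SAMPLE_CONTROL = Control("MDR + tested immutable backups", annual_cost=15_000.0,
                         aro_reduction=0.5, ef_reduction=0.25)


def run_example() -> Tuple[float, float, float]:
    """Run the sample register through the model and print the summary."""
    before, after, roi = rosi(SAMPLE_SCENARIOS, SAMPLE_CONTROL)
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name:28s} SLE={s.sle():>10,.0f}  ALE={s.ale():>10,.0f}")
    print(f"total ALE before control: {before:,.0f}")
    print(f"total ALE after  control: {after:,.0f}")
    print(f"ROSI for '{SAMPLE_CONTROL.name}': {roi:.2f}")
    return before, after, roi


if __name__ == "__main__":
    run_example()
```

With the sample figures the two scenarios carry a combined ALE of 100,000 per year; the control brings that to 37,500 for 15,000 of annual cost, a ROSI of about 3.17. The useful part in a client meeting is the "before" number by itself: a client who has never seen their expected yearly loss written down is the client who says "No, that's not acceptable."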

Francesca Cotton